| Message ID | 20171011112336.11263-1-aaptel@suse.com |
|---|---|
| State | New |
| Headers | show |
| Series | CIFS: Fix NULL pointer deref on SMB2_tcon() failure | expand |
2017-10-11 4:23 GMT-07:00 Aurelien Aptel <aaptel@suse.com>: > If SendReceive2() fails rsp is set to NULL but is dereferenced in the > error handling code. > > Cc: stable@vger.kernel.org > Signed-off-by: Aurelien Aptel <aaptel@suse.com> > --- > fs/cifs/smb2pdu.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c > index 7aa67206f6da..eb658b641ded 100644 > --- a/fs/cifs/smb2pdu.c > +++ b/fs/cifs/smb2pdu.c > @@ -1168,7 +1168,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree, > struct smb2_tree_connect_req *req; > struct smb2_tree_connect_rsp *rsp = NULL; > struct kvec iov[2]; > - struct kvec rsp_iov; > + struct kvec rsp_iov = { NULL, 0 }; > int rc = 0; > int resp_buftype; > int unc_path_len; > @@ -1285,7 +1285,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree, > return rc; > > tcon_error_exit: > - if (rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) { > + if (rsp && rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) { > cifs_dbg(VFS, "BAD_NETWORK_NAME: %s\n", tree); > } > goto tcon_exit; > -- > 2.12.3 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html Good catch, Ronnie, Aurelien! Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com> It seems like the issue exists even before SendReceive2() refactoring but wasn't triggered until DFS support was added. -- Best regards, Pavel Shilovsky -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 7aa67206f6da..eb658b641ded 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -1168,7 +1168,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree, struct smb2_tree_connect_req *req; struct smb2_tree_connect_rsp *rsp = NULL; struct kvec iov[2]; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int rc = 0; int resp_buftype; int unc_path_len; @@ -1285,7 +1285,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree, return rc; tcon_error_exit: - if (rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) { + if (rsp && rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) { cifs_dbg(VFS, "BAD_NETWORK_NAME: %s\n", tree); } goto tcon_exit;
If SendReceive2() fails rsp is set to NULL but is dereferenced in the error handling code. Cc: stable@vger.kernel.org Signed-off-by: Aurelien Aptel <aaptel@suse.com> --- fs/cifs/smb2pdu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)